This website uses cookies primarily for visitor analytics. Certain pages will ask you to fill in contact details to receive additional information. On these pages you have the option of having the site log your details for future visits. Indicating you want the site to remember your details will place a cookie on your device. To view our full cookie policy, please click here. You can also view it at any time by going to our Contact Us page.

Remote partial proof-testing of overfill prevention systems supports safer operations

Author : AnnCharlott Enberg, Emerson

16 June 2021

Overfill prevention systems must be periodically proof-tested to confirm their ability to perform correctly when required. AnnCharlott Enberg, Global Functional Safety Manager at Emerson, explains how the digital technology in advanced level measurement devices enables partial proof-testing to be performed remotely rather than on location, and describes the benefits this provides.

(Click here to view article in digital edition)

Overfilling storage tanks containing hazardous, flammable or explosive materials can have devastating consequences. Product spills can cause injuries or even fatalities, as well as significant damage to plant assets and the surrounding environment.

Image 1: Comprehensive proof-testing can require operators to enter hazardous locations or work at height to access level measurement devices, causing a potential safety risk.

To minimise the risk of an overfill occurring, best practice involves employing several independent layers of protection. The first line of defence is the basic process control system (BPCS) that monitors and controls the production processes. This first layer of protection is critical, because if the BPCS is functioning correctly, there is no need for the other layers of protection to become active.

An independent second layer of protection is provided by an overfill prevention system (OPS), which is normally dormant but operates when the BPCS fails to prevent the tank level from passing the critical high point. The OPS will alert an operator, close valves and/or shut down pumps to stop the situation from escalating.

A third layer of protection is typically provided by a dyke or concrete wall that surrounds the tank, to contain a spill. Traditionally, such containment areas have been monitored through visual inspection by site workers on patrol. However, recent developments in guided wave radar technology now enable these devices to provide automatic level monitoring in these areas, thereby increasing the safety of both the environment and personnel. If required, the fourth and final layer of protection would be alerting the emergency services.

Image 2: The latest digital technology available enables operators to initiate remote partial proof-tests by issuing a command from the control room.

OPS compliance requirements

The design and implementation of an OPS should comply with the main global safety standards that relate to overfill prevention. These are:

- The International Electrotechnical Commission’s IEC 61511 standard, which outlines best safety practices for implementing a modern OPS within the process industry. IEC 61511 is an industry-specific adaptation of the IEC 61508 standard for functional safety.

- The American Petroleum Institute’s API 2350 standard, which provides minimum requirements to comply with modern best practices in the specific application of non-pressurised above-ground large petroleum storage tanks. API 2350 can also be applied to certain tanks outside this specific scope.

The need for reliability

Image 3: Partial proof-tests bring the PFD of a device back to a percentage of the original level and ensure it fulfils its specified SIL requirement.

An automated OPS includes three basic elements for each of its safety instrumented functions (SIF). These are a sensor to monitor the product level, a logic solver to poll the sensor and act when necessary, and a final control element to safely shut down the process. A formal methodology has been established to assess the reliability of each of these components and then calculate the overall reliability of the OPS. The term probability of failure on demand (PFD) is used to indicate reliability. PFD is the likelihood that the component or system could fail when it is needed. Implementing robust and reliable hardware reduces PFD and risk, and therefore increases the reliability of an OPS.

The importance of proof-testing

Hardware becomes more likely to fail as it ages. However, periodically checking the functionality of OPS components confirms their ability to perform as required when there is a safety demand, and verifies that they are operating at the necessary safety integrity level (SIL) for the application. Such checks are known as proof-tests and involve testing each component of an OPS individually as well as the complete SIF. The PFD of a SIF increases over time after commissioning. Performing a proof-test resets the PFD to a lower value and ensures that the SIF provides the risk reduction it was designed to do.

Advanced level measurement instruments for OPS applications incorporate diagnostic software that detects a failure and takes the device to a safe state. However, some failures that prevent the device from performing its primary function remain undetected by the device during normal operation. These are known as dangerous undetected failures (DUs) and are identified during proof-testing. DUs are expressed as failures in time (FIT) and measured in DUs per 109 hours in operation. Given the importance of DU rates, the reduction of DUs has been a specific aim in the design of the latest level measurement technology. Advanced diagnostics capability enables the electronic and mechanical health of these devices to be monitored continuously, with the result that the number of DUs is significantly reduced.

The effectiveness of a proof-test in finding DUs is known as the proof-test coverage factor, and this should be as high as possible. Ideally, it would reach 100%, but the reality is that proof-tests are not 100% effective. A high proof-test coverage factor does not always ensure a low PFD, but all things being equal, a device with a lower FIT rate will achieve a lower PFD.

Two types of proof-test – comprehensive and partial – may be performed in compliance with both IEC 61511 and API 2350.

Image 4: The remote partial proof-testing capabilities of modern devices provide a safe, quick, simple and cost-effective means of establishing their integrity.

Comprehensive proof-tests

Comprehensive proof-tests achieve the highest proof-test coverage and involve testing the entire SIF in a single procedure, to ensure all its parts are functioning correctly. This will return the PFD of the SIF back to, or very close to, its original level. These tests are traditionally performed manually by technicians in the field, with another worker stationed in the control room to verify the reaction of the system.

To provide proof that a level sensor is functioning correctly, the product level in the tank can be raised manually to the activation point of the device under test. The danger of this approach is that if the device is a high-level sensor and fails to activate during the test, this could lead to a spill that would constitute a safety risk. This method is also time-consuming and can lead to the process being offline for an extended period, with significant cost implications.

An alternative approach is to remove the instrument from the tank and perform a simulated test, known as an immersion test, in a different environment, such as a bucket. A significant disadvantage of this method is that it can involve workers having to climb tanks to access an instrument, thereby putting their safety at risk. Performing proof-tests in this way is also prone to human errors and can lead to tanks being taken out of service for an extended period, thus affecting profitability. In addition, if the instrument is removed from a tank containing a hazardous or unpleasant product, the test would be performed in water instead. This would then fail to prove that the device would work in the specific application, and the proof-test coverage would consequently be reduced.

Partial proof-tests

Partial proof-tests have a reduced scope compared to comprehensive tests and are performed to ensure an individual device has no internal problems. Partial tests bring the PFD of a device back to a percentage of the original level and ensure it fulfils its specified SIL requirement. Whereas a comprehensive proof-test verifies all three functional elements of a device – output circuitry, measurement electronics and sensing element – a partial test verifies only one or two of them. However, a combination of partial tests that covers all three functional elements will reach a proof-test coverage close to that of a comprehensive test.

Partial tests do not replace comprehensive tests – they complement them. As a partial test detects only a percentage of potential failures, a comprehensive test must eventually be carried out after a given time interval to return a device to its original PFD. However, partial testing is quicker to perform, requires less interference with operations, and can crucially provide a technical justification for extending the time interval between comprehensive tests, while remaining within regulatory requirements. This then provides organisations with the freedom to schedule testing around planned shutdowns, which can reduce costs significantly.

AnnCharlott Enberg, Global Functional Safety Manager at Emerson
AnnCharlott Enberg, Global Functional Safety Manager at Emerson

Remote partial proof-testing

Proof-testing has traditionally been performed on location. However, the digital technology available in modern level measurement devices enables operators to perform partial proof-testing remotely instead. As an example, let us consider vibrating fork switches, which typically provide high and low limit detection in an OPS. In the latest advanced devices, remote partial proof-testing can be performed by issuing a HART® command from the control room. Upon receiving the command, a device enters test mode, whereby its fork frequency is simulated for on, off and alarm conditions. It then cycles though the different current output levels, verifying that there are no faults preventing the device from switching from the on state to the off state, or vice versa. If the proof-test detects an issue, this is reported upon its completion. The device then automatically returns to operational mode, eliminating the risk of it accidentally being left in test mode.

Remote partial proof-testing can be performed very quickly, with the device remaining installed and overfill conditions being simulated to activate the detector and generate an alarm signal. This simulation eliminates the risk of spills, saves time, and means that workers do not need to climb tanks and/or be exposed to their contents, thereby increasing safety. The ability to perform partial proof-testing remotely has consequently become a key selection criterion when implementing OPS level measurement technology.

About the author:

AnnCharlott Enberg began working in functional safety 20 years ago, as CEO for SILTECH AB. She was then business unit director for DEKRA AB and SRE site responsible process safety engineer for Akzo Nobel AB, and is now global functional safety manager at Emerson. Her focus has been to work closely with the industry to ensure safe processes in engineering systems through HAZOP, FMEA and LOPA, to ensure risk reduction and optimise personal/human design processes. AnnCharlott’s goal is to continue to make SIS devices easier to implement and to increase safety globally. She was selected as Global Manager of the Year in 2020 by the International Association of Top Professionals (IAOTP).


Contact Details and Archive...

Print this page | E-mail this page